DETAILED ACTION 

This office action is in response to amendments and remarks filed on May 20, 2009. 
Claims 1-24 are pending. 

Response to Arguments 
Applicant's arguments filed on May 20, 2009 have been fully considered but they are not 
persuasive for the following reasons: 

Applicants argued regarding independent Claims 1, 7, 15, and 11 and stated that the cited 
Lineman et al. (U. S. Publication No.: 2003/0065942) teaches "the disclosed software enables a 
security administrator to create and edit a security policy document (block 70), and this is 
different from the recitations of claims 1, 12, and 21 ". 

This is not found persuasive. The system of the cited prior art provides a security policy 
management method that involves creating a security policy document and automatically 
distributing it to users to verify their degree of compliance with the policy. The method also provides 
for running a policy management program on a computer connected with a network to enable 
creation of a security policy document and to enable the users to view the created document. The 
method then involves receiving electronic data relevant to the user's compliance with the security 
policy using the policy management program ([0036-0039, and 0078-0096]). 

As a result, the system of the cited prior art does implement and teach a risk assessment 
regarding the security of information maintained by entities on shared networks. 
Applicants clearly have failed to explicitly identify specific claim limitations which 
would define a patentable distinction over the prior art. 

The examiner will not read the claim language narrowly, limiting it to the exact embodiments of 
the specification, but will give the claim language its broadest reasonable interpretation in 
view of the specification. Therefore, the examiner asserts that the system of the cited prior art does 
teach or suggest the subject matter broadly recited in the independent Claims and the subsequent 
dependent Claims. Accordingly, the rejections of claims 1-24 are respectfully maintained. 

Claim Rejections - 35 USC § 101 
1. Applicant amended the claims; the previous rejection under 35 U.S.C. § 101 has been 
withdrawn. 

Claim Rejections - 35 USC § 102 
1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 



2. Claims 1-24 are rejected under 35 U.S.C. 102(e) as being anticipated by Lineman et al. 
(U. S. Publication No.: 2003/0065942). 
3. Regarding Claim 1, Lineman teaches and describes a method for implementing a security 
risk assessment for a merchant entity having connectivity to a shared network, the method 
comprising: receiving at a host computer system including a processor, from each of a plurality 
of payment-processing organizations, a set of security requirements defining protocols for 
implementing commercial transactions over the shared network using instruments identified with 
the payment-processing organization; developing, with the processor at the computer system, a 
security test scheme having a set of test requirements whose satisfaction by the merchant entity 
is sufficient to ensure compliance with the sets of security requirements defined by each of the 
plurality of payment-processing organizations; and performing a remote scan of a network site 
maintained by the merchant entity on the shared network in support of shared-network 
commercial transactions with a security compliance authority server by the computer system, the 
remote scan implementing at least a subset of the set of test requirements to evaluate compliance 
by the merchant entity ([0036-0039, and 0078-0096]). 

4. Regarding Claim 12, Lineman teaches and describes a method for assessing a security 
risk for a merchant entity having connectivity to a shared network, the method comprising: 
receiving, at a host computer system including a processor, information describing characteristics of 
the merchant entity from the merchant entity; determining, with the host computer system including the 
processor, which test requirements of a security test scheme to use in assessing the security risk 
for the merchant entity, wherein the security test scheme includes a set of test requirements 
whose satisfaction by the merchant entity is sufficient to ensure compliance with a plurality of 
sets of security requirements defined by a plurality of payment-processing organizations; and 
executing the security test scheme with a security compliance authority server in accordance 
with the determined test requirements ([0036-0039, and 0078-0096]). 

5. Regarding Claim 21, Lineman teaches and describes a computer-readable storage 
medium having a computer-readable program embodied therein for directing operation of a 
security compliance authority server including a communications system, a processor, and a 
storage device, wherein the computer-readable program includes instructions for operating the 
security compliance authority server to assess a security risk for a merchant entity having 
connectivity to a shared network in accordance with the following: receiving, with the 
communications system, information describing characteristics of the merchant entity; 
determining, with the processor, which test requirements of a security test scheme to use in 
assessing the security risk for the merchant entity, wherein the security test scheme is stored on 
the storage device and includes a set of test requirements whose satisfaction by the merchant 
entity is sufficient to ensure compliance with a plurality of sets of security requirements defined 
by a plurality of payment-processing organizations; and executing, with the processor, the 
security test scheme in accordance with the determined test requirements ([0036-0039, and 0078- 
0096]). 



6. Claims 2-11, 13-20, and 22-24 are rejected for the reasons applied above in rejecting Claims 1, 12, and 
21. Furthermore, Lineman teaches and describes a method and apparatus for establishing a security 
policy wherein: 
As per Claim 2, further comprising transmitting a questionnaire to the merchant entity 
with the security compliance authority server, the questionnaire including queries whose truthful 
response identifies a level of compliance with at least some of the test requirements ([0084- 
0086]). 

As per Claim 3, further comprising scheduling an on-site audit at the merchant entity 
with the security compliance authority server, the on-site audit being structured to follow a 
prescribed methodology for identifying a level of compliance with at least some of the test 
requirements ([0084-0088]). 

As per Claim 4, a satisfaction level of the test requirements required for compliance with 
the test requirements is dependent on a characteristic of the merchant entity ([0087-0091]). 

As per Claim 5, the characteristic comprises a shared-network transaction volume 
processed by the merchant entity over the shared network ([0090]). 

As per Claim 6, a frequency of performing the remote scan is dependent on a 
characteristic of the merchant entity ([0093-0094]). 

As per Claim 7, the characteristic comprises a shared-network transaction volume 
processed by the merchant entity over the shared network ([0090]). 

As per Claim 8, further comprising receiving information describing characteristics of the 
merchant entity from the merchant entity at the host computer system to limit parameters of the 
remote scan ([0092-0094]). 

As per Claim 9, further comprising generating a report at the host computer system 
summarizing a level of compliance by the merchant entity with the set of test requirements as 
determined from performing the remote scan ([0083-0096]). 
As per Claim 10, the merchant entity comprises an Internet merchant ([0025-0029]). 

As per Claim 11, the method recited in claim 1 wherein the merchant entity comprises 
an Internet merchant gateway ([0025-0029]). 

As per Claim 13, executing the security test scheme comprises performing a remote scan 
of a network site maintained by the merchant entity on the shared network in support of shared- 
network commercial transactions with the security compliance authority server ([0078-0088]). 

As per Claim 14, executing the security test scheme comprises scheduling an on-site 
audit at the merchant entity with the security compliance authority server, the on-site audit being 
structured to follow a prescribed methodology for identifying a level of compliance with at least 
some of the test requirements ([0078-0088]). 

As per Claim 15, executing the security test scheme comprises transmitting a 
questionnaire from the host computer system to the merchant entity with the security compliance 
authority server, the questionnaire including queries whose truthful response identifies a level of 
compliance with at least some of the test requirements ([0078-0088]). 

As per Claim 16, determining which test requirements of the security test scheme to use 
in assessing the security risk for the merchant entity is dependent on a characteristic of the 
merchant entity ([0087-0091]). 

As per Claim 17, the characteristic comprises a shared-network transaction volume 
processed by the merchant entity over the shared network ([0088-0090]). 

As per Claim 18, further comprising generating a report at the host computer system 
summarizing a level of compliance by the merchant entity with the set of determined test 
requirements as evaluated from executing the security test scheme ([0072-0091]). 
As per Claim 19, the merchant entity comprises an Internet merchant ([0025-0029]). 

As per Claim 20, the merchant entity comprises an Internet merchant gateway ([0025-0029]). 

As per Claim 22, the instructions for executing the security test scheme comprise 
instructions for performing a remote scan of a network site maintained by the merchant entity on 
the shared network in support of shared-network commercial transactions ([0072-0091]). 

As per Claim 23, the instructions for executing the security test scheme comprise 
instructions for scheduling an on-site audit at the merchant entity ([0072-0091]). 

As per Claim 24, the instructions for executing the security test scheme comprise 
instructions for transmitting a questionnaire to the merchant entity ([0072-0091]). 
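The independent claims above (Claims 1, 12 and 21) and the dependent claims on transaction volume (Claims 4-7, 16-17) and reporting (Claims 9, 18) describe a workflow: merge several payment-processing organizations' requirement sets into one test scheme, select which tests apply to a merchant based on its characteristics, compare remote-scan results against the required levels, and report. The block below is an added illustration of that workflow written for this page; it is not code from the application, from the office action, or from the Lineman reference. The organization requirement sets, scores, volume tiers, scan interval values and scan results are all constructed sample data.

```python
"""Added illustration of a multi-organization security test scheme (constructed data)."""

# Constructed sample: each payment-processing organization's security requirements,
# expressed as named test requirements with a minimum passing score (0-100).
ORG_REQUIREMENTS = {
    "org_a": {"tls_enabled": 100, "no_default_passwords": 100, "patch_level": 80},
    "org_b": {"tls_enabled": 100, "patch_level": 90, "waf_present": 70},
    "org_c": {"no_default_passwords": 100, "log_retention": 60},
}

# Constructed policy (hypothetical values): which tests a merchant tier must pass,
# how strictly (a multiplier on the merged threshold), and how often it is scanned.
TIER_POLICY = {
    "high":   {"tests": None, "strictness": 1.0, "scan_interval_days": 30},
    "medium": {"tests": None, "strictness": 0.9, "scan_interval_days": 90},
    "low":    {"tests": {"tls_enabled", "no_default_passwords"},
               "strictness": 0.8, "scan_interval_days": 365},
}


def develop_test_scheme(org_requirements):
    """Merge the organizations' requirement sets into one test scheme.

    For every test the scheme keeps the strictest threshold that any organization
    demands, so a merchant satisfying the scheme satisfies each set individually.
    """
    scheme = {}
    for requirements in org_requirements.values():
        for test, threshold in requirements.items():
            scheme[test] = max(scheme.get(test, 0), threshold)
    return scheme


def merchant_tier(annual_transactions):
    """Classify a merchant by its shared-network transaction volume (constructed cut-offs)."""
    if annual_transactions >= 1_000_000:
        return "high"
    if annual_transactions >= 20_000:
        return "medium"
    return "low"


def determine_test_requirements(scheme, annual_transactions):
    """Select which tests apply to this merchant and the level each must reach."""
    policy = TIER_POLICY[merchant_tier(annual_transactions)]
    if policy["tests"] is None:
        selected = scheme                      # high-volume merchants run the full scheme
    else:
        selected = {t: scheme[t] for t in policy["tests"] if t in scheme}
    return {test: threshold * policy["strictness"] for test, threshold in selected.items()}


def scan_interval_days(annual_transactions):
    """Remote-scan frequency depends on the merchant's transaction volume."""
    return TIER_POLICY[merchant_tier(annual_transactions)]["scan_interval_days"]


def evaluate_compliance(required, scan_results):
    """Compare remote-scan scores with the required levels and build a summary report.

    A test that the scan did not cover counts as a score of 0, so it fails and is
    also listed separately so the operator can see that evidence is missing.
    """
    failed = sorted(t for t, level in required.items() if scan_results.get(t, 0) < level)
    not_scanned = sorted(t for t in required if t not in scan_results)
    return {
        "tests_evaluated": len(required),
        "failed": failed,
        "not_scanned": not_scanned,
        "compliant": not failed,
    }


# Constructed remote-scan results for one merchant site.
SAMPLE_SCAN = {"tls_enabled": 100, "no_default_passwords": 100,
               "patch_level": 85, "waf_present": 75}


def assess(annual_transactions, scan_results=SAMPLE_SCAN):
    """Run the whole workflow for one merchant and return the report."""
    scheme = develop_test_scheme(ORG_REQUIREMENTS)
    required = determine_test_requirements(scheme, annual_transactions)
    report = evaluate_compliance(required, scan_results)
    report["next_scan_in_days"] = scan_interval_days(annual_transactions)
    return report


if __name__ == "__main__":
    for volume in (5_000, 2_000_000):
        print(volume, assess(volume))
```

With the constructed data, a low-volume merchant is only held to the two baseline tests and passes, while a high-volume merchant runs the full merged scheme and fails on `patch_level` (85 against the strictest threshold of 90) and on `log_retention`, which the sample scan never measured.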

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SYED ZIA whose telephone number is (571)272-3798. The 
examiner can normally be reached from 9:00 to 5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

sz 

August 12, 2009 
/Syed Zia/ 

Primary Examiner, Art Unit 2431 



